\subsection{Contribution}
\label{sec:contribution}

We address the lack of meaningful trust labels in SELinux.  This is done by separating the label of a file from superficial characteristics like location and instead base trust on the chain of modifications that have a direct causal effect on the content of the file.

We also address two common name resolution vulnerabilities.  The TOCCTOU vulnerability is defended by allowing a file to be first opened and then checked to verify that it is a trusted file.  A direct corollary of this workflow for verifying a file is that path resolution vulnerabilities can also be defended by canonicalizing the path while the file is open.

Both of these contributions rely on the basic mechanism of endowing a file with a set of immutable records of modifications to the file.  This information is sufficiently detailed to detect many instances of intrusion that are entirely omitted from a trust model based on location.  Namely, a privileged process is authorized to overwrite any file, but most programs should not modify a given file.  By tagging these events, an access policy can now account for an infected root process.


